Risk Management Framework

Version No: 6.0 Final
Issued: June 2018
Next Review: June 2022
Table of Contents
1 Introduction .......... 3
2 Purpose .......... 3
3 Local Government Risk Services (LGRS) .......... 3
4 Risk Management Principles .......... 4
5 Risk Management Framework .......... 5
5.1 Leadership and commitment .......... 5
5.2 Integration .......... 5
5.3 Design .......... 8
5.4 Implementation .......... 9
5.5 Evaluation .......... 9
5.6 Improvement .......... 9
6 Risk Management Process .......... 10
6.1 Communication and Consultation .......... 10
6.2 Scope, context and criteria .......... 11
6.3 Risk Assessment .......... 11
6.4 Risk Treatment .......... 13
6.5 Monitoring and Review .......... 15
7 Recording and reporting .......... 16
7.1 General .......... 16
7.2 Risk register .......... 16
7.3 Risk reporting .......... 17
8 Training .......... 17
8.1 Workers .......... 17
8.2 Elected Members .......... 17
8.3 Audit Committee .......... 17
9 APPENDICES .......... 18
9.1 Appendix A: Definitions .......... 18
9.2 Appendix B: Consequence Table .......... 19
9.3 Appendix C: Likelihood Table .......... 20
9.4 Appendix D: Risk Matrix .......... 21
9.5 Appendix E: Risk tolerances
9.6 Appendix F: Control definitions
1 Introduction

Wakefield Regional Council’s Vision is:

Vibrant – Enthusiastic – Creative

Aspiring to this vision, Council is committed to an integrated approach to risk management to help
us set appropriate strategies, achieve our objectives and make informed decisions, in the best
interests of our community.
Managing risk is part of governance and leadership, is fundamental to how the organisation is
managed at all levels and will contribute to our aims of continuous improvement.
The risk management process is not an isolated function and can be applied to any activity, including
decision making, at all levels. Effective identification, analysis, evaluation and treatment of defined
risks are critical to Council achieving its objectives and meeting overall community expectations.

2 Purpose

This Framework outlines the requirements and processes supporting Council’s Risk Management
Policy. It will:
a) Align with the objectives of the Risk Management Policy;
b) Establish roles and responsibilities for managing risk;
c) Establish a standardised, formal and structured process for assessment, treatment and
monitoring of identified risks;
d) Encourage innovation by integrating risk management into the strategic and operational
processes across all departments of Council;
e) Ensure Council maximises its opportunities, while minimising any negative impacts identified
during the risk management process;
f) Ensure all risks outside the defined risk tolerances are escalated to the relevant manager and
additional treatment options implemented;
g) Ensure that (standard) reporting protocols are established for information dissemination across
all Council departments; and
h) Assist in the development of a continuous improvement culture by integrating risk management
processes into all Council functions.

3 Local Government Risk Services (LGRS)

In South Australia, certain insurable Council risks have been transferred to a number of self-managed
schemes managed by Local Government Risk Services (LGRS) via payment of an annual
contribution. The schemes are:
a) Local Government Association Mutual Liability Scheme (LGAMLS) for the purposes of Civil
Liability coverage and claims management;
b) Local Government Association Workers Compensation Scheme (LGAWCS) for the purposes of
workers compensation coverage and claims management; and
c) Local Government Asset Mutual Fund (LGAMF) for the purposes of asset and fleet coverage and
claims management.
As a member of all these schemes, Council must ensure that WHS, asset and risk
management protocols are developed, endorsed and implemented across all departments.
4 Risk Management Principles

The international standard for Risk management - Guidelines (ISO 31000:2018) describes risk as:
“…the effect of uncertainty (either positive, negative or both) on objectives…”
The goal is not to eliminate all risks, but rather to manage risks involved in Council’s functions and
services and to create and protect value for our stakeholders and community.
ISO 31000:2018 is based on the following eight principles, which underpin this Framework and guide
how we manage risk across Council:
Integrated: An integral part of all organisational processes.
Part of decision making: Aids decision makers in making informed choices and identifying the most
effective course of action.
Structured and comprehensive: Contributes to efficiency and to consistent/comparable results.
Best available information: Based on historical and current information, as well as on future
expectations, taking into account any limitations associated with such information and expectations.
Customised: Aligns with internal/external context related to our objectives.
Human and cultural factors: Recognises that behaviour and culture can significantly influence the
achievement of objectives.
Inclusive: Requires appropriate and timely involvement of stakeholders to enable their knowledge,
views and perceptions to be considered.
Dynamic: Anticipates, detects, acknowledges and responds to changes in Council’s internal and
external contexts that result in new risks emerging and others changing or disappearing.
Continual improvement: Learning and experience drives continuous improvement.


5 Risk Management Framework

[Figure: the risk management framework cycle, with Leadership & commitment at the centre and
Integration, Design, Implementation, Evaluation and Improvement arranged around it.]

5.1 Leadership and commitment

Council and its leadership team will demonstrate leadership and commitment to ensure that risk
management is integrated into all organisational activities by:
a) Developing and implementing risk management policy, framework and supporting tools and
processes;
b) Allocating appropriate resources for risk management; and
c) Assigning roles, authorities, responsibilities and accountabilities with respect to risk
management and communicating these at all levels of the organisation.

5.2 Integration

This Framework provides the methods and processes Council uses to manage risks and identify
opportunities in every part of the organisation.
Governance guides the direction of the organisation and provides the rules, processes and practices
necessary for Council to achieve its objectives. Management structures that define risk management
accountability and oversight roles across the organisation are critical to achieving the strategy and
objectives required for Council to achieve sustainable performance and long-term viability.
Risk Management is not just about the risk assessment process nor is it a stand-alone discipline. To
maximise risk management benefits and opportunities, it requires integration through Council’s
entire operations, as follows:
[Figure: Enterprise risk management at the centre, integrated with Strategic & business
plans/decisions, Legislative compliance, Information/Data management, Performance management,
Service delivery, Business continuity & disaster recovery, Internal audit and Emergency management.]

5.2.1 Enterprise Risk Management

Enterprise risk management covers strategic and operational risks.
Strategic Risks are identified by reference to both the external environment and
Council’s Strategic Management Plan objectives. Strategic risks are monitored by the
Executive and Elected Member body, with all risk assessments captured in the Risk
Register and recorded within Council’s Record Management System.
Operational Risks arise from Council’s day-to-day departmental functions and
operations to deliver essential services. Operational risks are monitored by Council’s
Management Executive and their teams.

5.2.2 Strategic & Business Planning/Decision Making

Strategic and business planning, including long-term financial planning and annual
budget setting, must consider risks facing Council in setting and pursuing its objectives
and the effectiveness of systems in place to manage and communicate those risks.
Risk Management is integrated into governance structures, including decision making.
Risk assessment and management processes are incorporated into Council and
Committee reports, where there is a potential impact on achievement of Council’s
objectives or on the wider community.
Council members are expected to:
a) Give adequate consideration to risks when setting Council’s objectives;
b) Understand the risks facing Council in pursuit of its objectives;
c) Oversee effectiveness of systems implemented by the organisation to manage risk;
d) Accept only those risks that are appropriate in the context of Council’s objectives;
e) Consider information about such risks and make sure they are properly
communicated to the appropriate stakeholder or governing body.

5.2.3 Legislative Compliance

Councils are subject to the Local Government Act (SA) 1999 along with a range of other
Acts, Regulations and Codes of Practice and Standards. Council has implemented a
Work Health and Safety (WHS) system to manage health and safety risks to workers and
members of the public, in accordance with the WHS Act (SA) 2012. WHS is a critical
component of Council’s risk management system and addresses risks facing workers
conducting their specified duties.

5.2.4 Service Delivery

Risk exposures vary according to the functions, facilities and services Council provides
and these change over time. Council’s processes will address both the risks associated
with provision of functions, facilities and services (e.g. capacity and resources) and risks
arising from their delivery (e.g. public safety and community reaction).

5.2.5 Emergency Management

Council plans for, and undertakes, prevention, preparedness, response and recovery
activities to support its community in the event of emergencies and natural disasters.
This process includes alignment and co-operation with lead agencies and other Councils
in the region as well as providing information and training for workers to protect them
from harm while responding to emergencies and natural disasters.

5.2.6 Business Continuity Plan (BCP)

Council is obliged to ensure that critical business functions continue after a business
interruption. Council has developed its BCP, taking into consideration reasonably
foreseeable risks and their potential impact on achievement of Council’s objectives. The
BCP is designed to manage risk by limiting or reducing the impact of a disruption (such
as a severe weather event or loss of key personnel), and to enable the resumption of critical
business functions/services of Council following a disruption.

5.2.7 Performance Management

Both risk and performance management start with establishing and communicating
corporate goals and objectives and developing strategies which are then cascaded
throughout the organisation. Appropriate measures and reporting structures will be
put in place to monitor the effectiveness of Council’s risk management processes (at
individual/organisational level), which will in turn help identify gaps or emerging risks.

5.2.8 Information/Data Management

Critical to the achievement of Council’s objectives is that it retains data and corporate
knowledge, and there are regulatory requirements to do so (under the State Records
Act 1997, Commonwealth Privacy Act 1988 and Freedom of Information Act 1991).
Council’s records may be vulnerable to cyberattack, malicious intent or unauthorised
release, should appropriate risk mitigation strategies not be in place.
5.3 Design

5.3.1 Understanding the organisation and its context

Those involved in risk management processes must understand factors internal and
external to Council that may influence its ability to achieve its objectives. Council’s risk
management culture, organisational structure, strategy and objectives are factors that
define Council’s internal context. The external environment may include a range of
factors including (but not limited to):
a) Increased legislative and compliance requirements;
b) Reduced funding from State government;
c) Community expectations; and
d) Social, cultural, political, technological, economic, natural and built environment.

5.3.2 Roles and responsibilities

The following risk management roles and responsibilities ensure a transparent approach
to managing risk within Council.
Roles and responsibilities:

Council
• Endorse Council’s Risk Management Policy
• Review and consider any report or recommendations regarding the Risk Management Framework
• Ensure risks are adequately considered when setting Council’s strategies and objectives
• Understand risks facing Council in pursuit of its objectives
• Ensure there is a systematic and effective approach to managing risk and opportunity across
Council operations that is implemented, monitored and communicated
• Apply risk management principles to decision making
• Monitor Council’s strategic risks

Audit Committee
• Review and endorse the Risk Management Framework
• Ensure a framework is implemented and delivers a consistent approach to risk management by
assigning authority, responsibility & accountability at appropriate levels within the organisation
• Review reports from management and auditors and monitor that effective enterprise risk and
opportunity management controls have been implemented

Chief Executive Officer (CEO)
• Promote a strong risk management culture by providing firm and visible support for risk
management, including ensuring appropriate accountability for risk management
• Ensure a customised policy and framework are in place and implemented that deliver a consistent
approach to risk management
• Ensure appropriate resources are allocated to managing risk
• Ensure managers have necessary knowledge and skills to effectively fulfil risk management
responsibilities and are accountable for risks arising from activities of their departments
• Regularly review Council’s strategic and operational risks

Management Executive Team
• Commitment to, and promotion of, the Risk Management Policy and Framework
• Monitor Council’s overall risk profile and mitigation strategies
• Ensure that risk management is embedded into all critical functions and activities
• Ensure documentation of items on the risk register and ongoing and regular reviews of the risk
register, including the actioning of any overdue risk treatments
• Include risk treatments into departmental plans
• Empower staff to actively be involved in managing risk
• Promote a proactive risk culture in accordance with business management initiatives
• Regularly review risks on the risk register (at least annually)
• Review Council’s Strategic Risks

Corporate Services Manager
• Provide guidance and assistance to staff in relation to this framework and reporting within the
Risk Register
• Ensure relevant risk information is reported and escalated to the Management Team or Audit
Committee or cascaded to staff
• Maintain the Risk Management Policy and Framework to ensure its currency and accuracy
• Maintain the Risk Register and timeframes as required
• Provide support and advice to managers and staff in the application and use of the Risk
Management Framework

Employees, Volunteers & Contractors
• Understand the risk management processes that are integrated into all Council activities
• Identify, evaluate, report and manage risks in their daily activities and projects
5.4 Implementation

This framework is supported by a plan that includes timeframes and resource requirements
and processes for engagement with, and provision of information to, stakeholders.

5.5 Evaluation

Council will undertake periodic reviews of its risk management framework to ensure it
remains meaningful and current.

5.6 Improvement

Council will monitor and adapt its framework, with a view to continually improve the
suitability, adequacy and effectiveness of the risk management process.
6 Risk Management Process

Good risk management practices ensure Council can undertake activities knowing that measures are
in place to maximise the benefits and minimise the negative effect of uncertainties.
Risk management involves both the management of potentially adverse effects as well as the
fulfilment of potential opportunities. The risk management process is an integral part of
management and decision-making. The dynamic and variable nature of human behaviour and
culture should be considered throughout the risk management process.
Although the risk management process is often presented as sequential, in practice it is iterative.

6.1 Communication and Consultation

Establishing communication and consultation with internal and external stakeholders is critical to
the success of the risk management process. Effective communication and consultation throughout
the process is essential to ensure that those responsible for implementing risk management, and
those with a vested interest, understand the basis on which risk management decisions are made
and why particular actions are required.
Council will engage with stakeholders throughout the risk management process to:
a) Correctly identify risks and understand context;
b) Gain a better understanding of the views and interests of stakeholders and how their
expectations may be managed;
c) Capitalise on the diversity of knowledge, opinions and experience to enhance identification and
management of risks and opportunities; and
d) Build a sense of inclusiveness and ownership amongst stakeholders.
6.2 Scope, context and criteria

6.2.1 Defining the scope

Because the risk management process is applied at different levels throughout the
organisation, it is important to define the scope including:
a) Goals and objectives of risk management activities;
b) Proposed outcomes and timing;
c) Responsibilities and accountabilities for the risk management process;
d) Risk management methodologies;
e) Processes, activities and projects and how they may interact with other processes,
activities and projects of Council;
f) How effectiveness and/or value will be measured and monitored; and
g) Availability of resources to manage risk.
6.2.2 Defining the context

Defining the context is important because risk management takes place in the context
of Council’s objectives and activities and organisational factors can be a source of risk.
The context should reflect the specific environment of the activity to which the risk
management process is to be applied, and consider the factors outlined in 5.3.1.

6.2.3 Defining risk criteria

Risk criteria are used to evaluate the significance of risk and are reflective of Council’s
values, objectives and resources and the views of its stakeholders. Council’s risk criteria
are documented throughout this framework and its appendices.
While risk criteria are established at the beginning of the risk management process,
they are dynamic and should be continually reviewed and amended, if necessary.

6.3 Risk Assessment

6.3.1 Risk Identification

The aim of risk identification is to develop a list of events that may occur which - if they do -
are likely to have an impact on the achievement of Council’s objectives, as stated in its
Strategic Management Plans. Council identifies, assesses and treats risk in three groups:

Strategic: Risks associated with high level strategic goals that align to Council’s
Strategic, Annual and Business Plans. Strategic risks may affect the achievement of
Council’s corporate objectives. They are key issues for management and impinge on the
whole business rather than a single business unit. These risks can be triggered from
within the business or externally. In other words, they may prevent the organisation
from achieving its strategic goals.
Operational: Risks associated with departmental functions and daily operations to deliver
services. Often these risks are cost overruns, supply chain/logistic issues, employee
issues, fraud, WHS, and non-compliance with policies and procedures.
Project: Risks associated with project management that may affect milestones connected
to delivering a specific project.
Risk identification is a process of formally documenting the effects of uncertainty on
objectives. The aim is to work with stakeholders, where relevant, to generate a list of risks
based on impacts or events. During the identification process, there are a number of
questions that need to be asked to capture the information required:
a) What might happen/ what could go wrong?
b) What is the cause?
c) How does this affect the objective?
After a risk is identified, it is captured in the Risk Register in one of these categories:
Strategic; Governance; Legal; Financial/procurement; Public; WHS; Asset; HR/organisational;
Environmental; Information.

Risk identification must be comprehensive as risks not identified are excluded from further
analysis. Care must be taken to identify and define risks, rather than causes or consequences.

6.3.2 Risk Analysis

Risk analysis involves developing an understanding of a risk. It provides an input to risk
evaluation and to decisions on whether risks need to be treated, and the most
appropriate risk treatment strategies and methods. The tables included in the
appendices are Council’s tools for expressing the consequence, likelihood and level of
risk as well as Council’s risk tolerance.

6.3.2.1 Inherent and residual risk

A “risk rating” can be determined by combining the estimates of effect
(consequence rating) and cause (likelihood rating). The risks are to be assessed
against all consequence categories, and the highest consequence rating will be used.
The first rating obtained will be the inherent risk rating (i.e. the level of risk at time
of risk assessment with no controls). Once further and additional controls are added
to reduce the consequence and/or likelihood, the risk is rated again to determine
the residual risk (i.e. the level of risk remaining after risk treatment).

6.3.2.2 Risk appetite

The Management Team, in consultation with Elected Members, is responsible for
defining Council’s risk appetite, taking into consideration the nature and extent of
the risks Council is willing to take in order to achieve its strategic objectives. The
following questions are considered in deriving Council’s risk appetite:
a) Do decision makers understand the degree to which they are permitted to
expose Council to the consequences of an event or situation?
b) Does the Management Team understand their aggregated and interlinked level
of risk to determine whether it is acceptable or not?
c) Do the Council and Management Team understand the aggregated and
interlinked level of risk for Council as a whole?
d) Are Council and the Management Team clear that risk appetite is not constant (i.e.
flexibility to adapt must be built in)?
e) Are risk decisions made with full consideration of reward? The appetite needs to
help Council and the Management Team take an appropriate level of risk for
Council, given the potential for reward.
Council’s risk appetite will be included in Council’s regular monitoring and review
process of the Risk Framework. This review of appetite will be incorporated into the
structure of Council at each level of responsibility due, in part, to the differing
focuses with regards to the risks that Council faces at each of these levels.

6.3.2.3 Risk tolerance

Not all risk types for Council are the same in terms of their acceptability. Once a risk
has been analysed, it needs to be compared to Council’s tolerance levels. Tolerance
can be described as the organisation’s readiness to bear each of the risks (after
implementation of controls) in order to achieve its objectives.
If the assessed risk level is above the tolerable level for that category of risk then
treatment may be required. If it is equal to, or below, the tolerable level for that
category of risk then the risk can be accepted (provided controls are implemented).
The tolerance level for each residual risk specific to Council and its objectives is:
Zero: Willingness to accept no risk at all
Low: Willingness to accept very little risk
Moderate: Willingness to accept some reasonable risk
High: Willingness to accept a high level of risk
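The rating procedure of 6.3.2.1 (highest consequence across categories combined with likelihood, rated once without controls and again after controls) and the tolerance comparison of 6.3.2.3, worked through in Python as an added illustration that is not part of the Council's framework or tooling. The five-point scales, the rating matrix and the mapping from tolerance level to acceptable residual level are placeholder assumptions standing in for Appendices B to D, which are not reproduced on this page.

```python
"""Risk register rating helper (added example; scales and matrix are assumed placeholders)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional

# ASSUMED ordinal scales (1 = lowest). Replace with Council's Appendix B / C values.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# ASSUMED risk matrix, indexed MATRIX[likelihood - 1][consequence - 1]. Replace with Appendix D.
MATRIX = [
    ["low", "low", "moderate", "high", "high"],
    ["low", "low", "moderate", "high", "extreme"],
    ["low", "moderate", "high", "extreme", "extreme"],
    ["moderate", "moderate", "high", "extreme", "extreme"],
    ["moderate", "high", "extreme", "extreme", "extreme"],
]
LEVEL_ORDER = {"low": 1, "moderate": 2, "high": 3, "extreme": 4}

# Tolerance levels from 6.3.2.3, mapped (assumption) to the highest residual level that may be
# accepted for a risk category. "zero" accepts no residual level at all.
TOLERANCE_CEILING = {"zero": 0, "low": 1, "moderate": 2, "high": 3}


def rate(consequences: Dict[str, str], likelihood: str) -> str:
    """Combine the highest consequence rating across all assessed categories with likelihood."""
    if not consequences:
        raise ValueError("a risk must be assessed against at least one consequence category")
    worst = max(CONSEQUENCE[c] for c in consequences.values())
    return MATRIX[LIKELIHOOD[likelihood] - 1][worst - 1]


@dataclass
class RiskAssessment:
    risk_id: str
    category: str                      # register category, e.g. "Information"
    tolerance: str                     # "zero" | "low" | "moderate" | "high" (6.3.2.3)
    inherent_consequences: Dict[str, str]   # consequence category -> rating, with no controls
    inherent_likelihood: str
    residual_consequences: Optional[Dict[str, str]] = None  # after controls; None = untreated
    residual_likelihood: Optional[str] = None

    def inherent(self) -> str:
        return rate(self.inherent_consequences, self.inherent_likelihood)

    def residual(self) -> str:
        # Until controls are recorded, the residual rating equals the inherent rating.
        if self.residual_consequences is None:
            return self.inherent()
        return rate(self.residual_consequences, self.residual_likelihood or self.inherent_likelihood)

    def within_tolerance(self) -> bool:
        return LEVEL_ORDER[self.residual()] <= TOLERANCE_CEILING[self.tolerance]

    def decision(self) -> str:
        # 6.3.2.3: at or below the tolerable level -> accept (controls implemented); above -> treat.
        return "accept" if self.within_tolerance() else "treat and escalate"


def example_information_risk(tolerance: str = "low") -> RiskAssessment:
    """Constructed sample entry: unauthorised release of Council records (cf. 5.2.8)."""
    return RiskAssessment(
        risk_id="CONSTRUCTED-001",
        category="Information",
        tolerance=tolerance,
        inherent_consequences={"legal": "major", "public": "moderate"},
        inherent_likelihood="likely",
        residual_consequences={"legal": "moderate", "public": "minor"},
        residual_likelihood="unlikely",
    )


if __name__ == "__main__":
    entry = example_information_risk()
    print(entry.risk_id, "inherent:", entry.inherent(), "residual:", entry.residual(),
          "decision:", entry.decision())
```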
6.3.3 Risk Evaluation

Risk evaluation is the process used to help make decisions about which risks need
treatment and the priority for applying controls. Decisions should include consideration
of tolerance of the risks borne by parties other than Council. There are also
circumstances when, despite the risk level, risks cannot be treated. Refer Appendix E.

6.4 Risk Treatment

Risk treatment can be conducted using a variety of methods. When looking at risks,
treatments are aimed at reducing or removing the potential for consequences occurring.
When looking at opportunities, treatments look at ensuring that consequences are realised.
Risk treatment involves selecting one or more options for modifying risks, and implementing
those options. Once implemented, treatments provide or modify the controls. An action
should be implemented to treat certain risks.
Justification for risk treatment is broader than economic considerations and should take into
account Council’s obligations, voluntary commitments and stakeholder views. Appropriate risk
treatment options should have regard to Council’s objectives, risk criteria and resources.
Council will tolerate a level of risk, in accordance with the risk tolerances set out in Appendix
E. Any risk that is rated at or below a tolerable level of risk should be monitored and reviewed
in line with relevant department processes and systems as discussed in Section 6.3.2.

6.4.1 Risk treatment options

Risk treatment options may include:
Eliminate: Remove asset/service completely to eliminate the risk;
Share: Allocate risk to a third party, such as an appropriate contractor;
Mitigate: Implement a type of treatment control to reduce or remove the risk. This
may include but is not limited to options such as substitution (swapping), isolation
(barricade), engineering (modify by design) or administration (policy/process);
Accept: Risk can be accepted for a number of reasons including:
• No extra treatments being available;
• Meets the stated target for the type of risk;
• Informed decision has been made about that risk; and
• Risk treatment is worth more than the risk exposure.

6.4.2 Control characteristics

Risk treatments need to be sufficient to mitigate that risk, and must have some of the
following characteristics if they are to become an adequate control:
a) Documented (e.g. Policies, procedures, task lists, checklists)
b) Systems-oriented (e.g. integrated and/or automated)
c) Preventative (e.g. system controls) or detective
d) Consistent and regular (including during staff absence)
e) Performed by competent and trained individuals
f) Clear responsibility and accountability
g) Create value (i.e. benefits outweigh costs)
h) Achievable for the organisation (based on available resources)
i) Evidenced
j) Confirmed independently

Control definitions are as follows:
Adequate – the design of the control is such that it can give reasonable assurance the
risk will be mitigated, i.e. existing systems and procedures cover known circumstances
and provide reasonable assurance for the majority of risks.
Inadequate – the design of the control is not sufficient to give reasonable
assurance that the risk will be mitigated. There may be no systems and procedures in
place, or existing systems and procedures are obsolete and require review.
Effective – the control operates in a manner that is consistent, complete, reliable and
timely.
Ineffective – the control does not operate, or only partially operates, in a manner that is
consistent, complete, reliable and timely.
6.4.3 Preparing and implementing risk treatment plans

Risk treatment plans specify how the treatment options will be implemented, so those
involved understand what arrangements are in place and to allow progress to be
monitored. Risk treatment plans may be integrated into Council’s existing processes,
(e.g. project management plans, risk registers) and provide the following information:
a) Rationale for selection of treatment options;
b) Responsibilities and accountability for approving and implementing the plan;
c) Proposed actions and timeframes;
d) Resourcing requirements;
e) Constraints and contingencies; and
f) Required reporting and monitoring.
6.5 Monitoring and Review

6.5.1 Review of risks and controls

Monitoring and review must be a formal part of the risk management process and involves
regular checking of the effectiveness and efficiency of the processes implemented.
A monitoring and review process will:
a) Ensure that implemented controls are effective and adequate;
b) Provide further information to improve risk assessment and treatment plans;
c) Allow for the identification of emerging risks;
d) Identify (new) activities that may influence established strategies to mitigate risks.
It is essential to monitor all activities and processes to capture any new or emerging
risks arising from the changing environment (internal/external) and Council activities.
Monitoring and review guidelines and timeframes are captured in the Risk Reporting
structure. See section 8.

6.5.2 Project risks

Due to the dynamic nature of most projects, a risk may change over the lifecycle of the
project, triggering the need for reassessment. The monitoring and scheduled review
process allows risks to be validated, to ensure they remain relevant, and project plans to
be adapted as necessary. Any changes in risks throughout the project and after its
completion should be recorded and used for future project planning.

6.5.3 Review of Risk Management Framework

The review of Council’s risk management framework and processes will be scheduled
for completion within three years from endorsement.
7 Recording and reporting

7.1 General

The risk management process and its outcomes are documented and reported to:
a) Communicate risk management activities and outcomes;
b) Provide information for decision making;
c) Support continuous improvement;
d) Assist interaction with stakeholders, including those with responsibility and accountability
for risk management activities.
Records will be managed and retained in accordance with State Records General Disposal
Schedule for Local Government.

7.2 Risk register

The Risk Register enables Council to document, manage, monitor and review strategic, project
and operational risk information in order to build a risk profile and provide direction on how
to improve risk management processes. The Risk Register can be used to monitor whether,
using the approach outlined in this framework, the risk management process for opportunities
is resulting in an increasing trend towards potential for success and less risk with negative
consequences.

7.2.1 Strategic Risks

Council will identify and record strategic risks on the Risk Register. Strategic level risks
are identified by the Management Team and the Council, as part of an annual review at
a minimum. Risks identified at the strategic level may be reflected in other corporate
documents (e.g. Strategic Plan, Annual Business Plan, Asset Management Plans) and
mitigated through the actions detailed in those documents; however, they should also be
collated in the Risk Register for ease of monitoring and review.
Recording and reporting of strategic level risks is the responsibility of the Corporate
Services Manager via the Management Team and Audit Committee.

7.2.2 Operational Risks

Council will record and maintain operational risks on the central Risk Register, which is
reviewed at least annually by Departmental Managers. The Risk Register will
incorporate departmental risks and proposed mitigation techniques, as determined by
the evaluation process. Recording operational level risks in the register and reporting of
implementation and effectiveness of controls is the responsibility of Managers and
workers.

7.2.3 Project Risks

Project level risks can be identified by anyone at any time prior to, and during, specified
projects and are recorded within the Risk Register. Project level risks must be identified
during the planning process, but can be added as and when necessary. Recording and
reporting of project level risks rests with the identified project owner.
7.3 Risk reporting

7.3.1 Purpose

Risk based reports will draw data from the Risk Register and provide monitoring and
profile information to Council, Audit Committee and the Management Team in order to:
a) Understand the risk exposure of the Council;
b) Identify risks that require increased attention and action;
c) Provide risk information to the Council, especially anything affecting the Strategic
Management Plan;
d) Provide information to all workers at all levels to make risk informed decisions; and
e) Improve the Risk Management awareness and culture at Council.

7.3.2 Content

Risk reporting will include:
a) All Council and Committee reports to include discussion of potential risks, based on
completed risk assessment and treatments;
b) An annual review and update of the Risk Register by Managers (or as otherwise
required, e.g. organisational structure change/ process change/ new project);
c) Quarterly review of Extreme/High operational risks by Management Team, provided
to the Audit Committee;
d) Annual review of strategic risks by Management Team, preferably prior to the
annual budget process;
e) All new and emerging strategic risks reviewed by Management Team as required;
f) Any risks rated as HIGH or EXTREME after the consideration or implementation of
treatment options are reported to Council’s Audit Committee.

8 Training

8.1 Workers: This framework and supporting policies and tools will be made available to all
workers through the intranet. Council’s Training Needs Analysis (TNA) is a tool used to:
a) Capture legislative training and/or licencing requirements, and
b) Identify individual tasks within specific jobs and the core competencies required for the
safe performance of those jobs.
Risk Management awareness training is captured on Council’s TNA, to ensure the effective
implementation of this Framework. Risk Management is overarching across all functions, not
a specialist skill owned by a designated risk management position. Risk management
awareness will be provided by Council to relevant workers and will take into consideration the
role of the worker within the Risk Management Framework.

8.2 Elected Members: Elected Members are key strategic decision makers and it is imperative
they understand the Risk Management Policy and Framework and their role in informed
decision making based on sound risk management principles. Risk Management awareness
training will be scheduled within 12 months of Council elections.

8.3 Audit Committee: Audit Committee members should, as a minimum, understand their roles
and responsibilities as outlined in Council’s Risk Management Policy and Framework, including
the monitoring and review of risk management reports and outcomes from management and
external auditors.
9 APPENDICES

9.1 Appendix A: Definitions

Assurance: Process that provides a level of confidence that objectives will be achieved within an
acceptable level of risk.
Consequence: Outcome of an event (qualitative or quantitative) – i.e. loss, injury, disadvantage, gain.
Controls: Measure that modifies risks and increases the likelihood that objectives and goals of
an organisation will be achieved.
Enterprise Risk Management: Process applied in strategy setting and across the organisation, to
identify potential risk, manage risk within its risk appetite, and provide reasonable assurance
regarding the achievement of Council’s objectives.
Exposure: Qualitative value of the sum of the consequence of an event multiplied by the
likelihood of that event occurring.
Inherent Risk: Risk at time of risk assessment without existing/current controls.
Likelihood: Chance of something happening.
Monitor: To check, supervise, observe critically or record the progress of an activity, action or
system on a regular basis in order to identify change.
Operational Risks: Risks associated with department functions and daily operations to deliver services.
Reasonable assurance: The concept that enterprise risk management, no matter how well designed
and operated, cannot guarantee that an entity’s objectives will be met.
Residual Risk: Rating of the risk remaining after risk treatment or control has been applied.
Risk Analysis: Systematic use of available information to determine how often specified events may
occur and the magnitude of their consequences.
Risk Appetite: The amount of risk Council is prepared to accept or avoid in pursuit of its mission.
Risk Assessment: An overall process of risk identification, risk analysis and risk evaluation.
Risk Culture: The behaviours that lead to how every person thinks about and manages risks.
Risk Escalation Process: A risk management system whereby an increasingly higher level of
authorisation is required to sanction the continued tolerance of increasingly higher levels of risk.
Risk Evaluation: The process used to determine risk management priorities by comparing the level of
risk against predetermined standards, target risk levels or other criteria.
Risk Management: Coordinated activities to direct and control an organisation with regard to risk.
Risk Management Framework: Set of components that provide the foundations and arrangements for
designing, implementing, monitoring, reviewing and continually improving risk management.
Risk Owner: Staff member with the accountability and authority to manage a risk.
Risk Rating: Risk priority based on consequence and likelihood assessments.
Risk Register: Register of all identified risks, their consequences, likelihood, rating and treatments,
reviewed on a periodic basis.
Risk Tolerance: Readiness to bear the risk after risk treatment/control has been applied.
Risk Treatment: Risk modification process – usually what Council is going to do (modify) with the risk
based on its residual risk rating – i.e. Avoid, Reduce, Transfer, Accept, Share.
Risk: An event or uncertainty that will prevent an organisation from achieving its objectives.
Stakeholder: Person or organisation that can affect, be affected by, or perceive themselves to be
affected by, a decision or activity.
Strategic risks: Risks associated with high level strategic goals that align to Council’s Strategic, Annual
and Business Plans and may affect achievement of Council’s objectives.
9.2 Appendix B: Consequence Table

CONSEQUENCE

Each consequence level is described across five categories: Financial, People, Reputation,
Environmental and Service Delivery.

Level 1 – Catastrophic
Financial: Significant financial loss (> $600k). Loss of Business operation. Multiple financial year impact.
People: Major injury/ disablement or death. Long term effect on morale and business performance.
Reputation: Potential national media attention. Prolonged media/ political attention. Irreparable reputation damage.
Environmental: Major loss of environmental amenity; irrecoverable environmental damage.
Service Delivery: Major interruption to delivery of all or most services for more than 14 days. Full BCP action required.

Level 2 – Major
Financial: Major financial loss ($250-$600k). Major impact on Business Operations. Multiple financial year impact.
People: Serious Long Term Injury. Temporary disablement. Significant impact on morale and business.
Reputation: Regional or State wide media attention. Public interest. Long term effect on reputation.
Environmental: Severe loss of environmental amenity, danger of continuing environmental damage.
Service Delivery: Major interruption to services, customer impact 7 – 14 days. Full or partial BCP action may be needed.

Level 3 – Moderate
Financial: Moderate financial loss ($60-$250k). Moderate impact to business operations. May impact beyond current financial period.
People: Significant Injury requiring medical attention. Short Term effect on morale and business or potential.
Reputation: Significant Media Attention. Significant Public interest. Potential for adverse local media attention.
Environmental: Moderate impact to environment. Localised damage that has potential to spread and reversed with intensive efforts.
Service Delivery: Moderate Interruption to service delivery. Customer impact up to 48 hrs. Partial BCP action may be needed.

Level 4 – Minor
Financial: Minor Financial Loss ($10-$60k). Minor financial disruption/ variation to budget.
People: Minor Medical attention. Negligible impact on morale.
Reputation: Some local media or political attention. Community concern – little adverse effect.
Environmental: Minor impact to environment. Can be reversed in the short term.
Service Delivery: Minor interruption to a service with minimal impact to customers/business.

Level 5 – Insignificant
Financial: Negligible Financial Loss (< $10k). No real disruption to business.
People: No Injury/First Aid only. No impact on morale.
Reputation: No Media or Political Attention. Some local complaints.
Environmental: Minor Instance of environmental damage. Can be reversed immediately.
Service Delivery: Interruption to a service – no impact to customers/business.
9.3 Appendix C: Likelihood Table

LIKELIHOOD

Level (Descriptor): Description. Likelihood (%)

A (Almost Certain): Expected to occur at times of normal operations (more than once per year).
Likelihood: 90% chance
B (Likely): Will occur at some stage based on previous incidents. Likelihood: 50% to 90% chance
C (Possible): Not expected to occur but could under specific circumstances. Likelihood: 25% to 50% chance
D (Unlikely): Conceivable but not likely to occur under normal operations (no previous occurrence).
Likelihood: 5% to 25% chance
E (Rare): Only occurs in exceptional circumstances. Likelihood: < 5% chance


9.4 Appendix D: Risk Matrix

Rows are the Likelihood levels (Appendix C); columns are the Consequence levels (Appendix B).
Cell values give the risk level: E = Extreme, H = High, M = Moderate, L = Low (see Appendix E).

Likelihood          Consequence
                    1 (Catastrophic)  2 (Major)  3 (Moderate)  4 (Minor)  5 (Insignificant)
A (Almost Certain)  E                 E          H             H          M
B (Likely)          E                 E          H             M          M
C (Possible)        E                 H          M             M          L
D (Unlikely)        E                 H          M             L          L
E (Rare)            H                 M          L             L          L
9.5 Appendix E: Managing Risk

RISK LEVEL MANAGING RISK – PRIORITY RATING

EXTREME • Escalate risk issue immediately to Chief Executive Officer / Management Executive
• Add risk to Council’s Risk Register
• Chief Executive Officer / Management Executive to:
o Refer risk to risk owner
o Identify and develop treatment strategies for immediate action
o Monitor and review actions/strategies
o Provide direction and information to relevant stakeholders

HIGH • Escalate risk issue to Management Executive
• Add risk to Council’s Risk Register
• Management Executive to:
o Refer to risk owner
o Identify and develop treatment strategies with appropriate timeframes
o Monitor and review actions/strategies to manage risk to an acceptable level
o Provide direction and information to relevant stakeholders

MODERATE • Manage within Department:
o Identify and develop treatment strategies with appropriate timeframes
o Advise risk management area to add risk and treatment to Council’s Risk Register
o Monitor and review actions/strategies to manage risk to an acceptable level

LOW • Manage within Department:
o Undertake localised risk management & actions (if required)
o Advise risk management area to add risk and treatment (if any) to Council’s Risk Register
o Review within the Department parameters
